Here’s a list of all my posts to-date related to becoming or growing as an IT Auditor, all in one place for easy reference.
I’ll add other posts as they are written.
How to get an IT Audit job with little or no experience
Use LinkedIn to get an IT Audit job
New IT Auditors Should Start Here (list of good IT audit posts on this blog)
How to Describe What an IT Auditor Does?
Top 10 Reasons to be an IT Auditor
What Everybody Ought to Know About Auditor Secrets
What IT Auditors Ought to Know – and Don’t!
ITauditSecurity 
May I request you to enlighten on the major areas in IT which are subjected to audit. The reason for this question is that I have been working for the past 5 years in IT audit. I am finding majority of my work is either towards IT processes such as change, incident management, IT asset Management, Patch management or towards examining configurations are as per standard configurations. Sometimes towards compliance with laws (I am from India which does not have many IT laws to abide by).
I am kind of feeling saturated..Is that all the area all IT audit is all about?
LikeLike
sysaudit,
IT processes and configurations is pretty much the bulk of IT audit. However, you didn’t mention user access explicitly, but I assume that’s one of the IT processes you review.
There’s also review of policies and regulations (in the US, the bulk of the ‘IT laws’ are around finances and security).
Do you use analytics in your audits? Did you see the post about the Server Audit for the Dauntless, for example?
How about IT audit of your vendors (although that’s another flavor of what you’re already doing for internal company processes).
Have you looked at IT processes such as cybersecurity (vulnerability management) or how efficient is IT?
Do you review the governance and risk management of new initiatives like business intelligence, robotics, and agile methodologies?
Do you validate the feeds between applications, the transformations performed on that data, and the applications that assist and monitor those feeds (such as batch scheduling systems like Autosys or Informatica, which also applies transformations and business rules.
I know I’m missing a few areas in the above list (help us out readers). So again, yes, that is mostly what IT audit is, but the companies I’ve worked at always have something new to look into.
I realize YOUR company may not do all these things or even want them done, but they are options.
LikeLike
I just passed my CISA examination. Somehow I still don’t feel that confident as I am from a finance background. Should I look into technical certifications? Thanks.
LikeLike
Kyle,
Totally get where you’re coming from. I started as an accountant and felt the same. I highly recommend CEH. It’s basically Security+ and add the tools for hacking. The exam is a little bit on the expensive side so if you can’t do it, I’d at least pick up a study guide and go through it. It’ll teach you the security aspect of things.
LikeLike
Kyle and Yo,
While I appreciate your comments Yo, I have to disagree with you. I think the CISSP is more valuable to an auditor in terms of auditing and pay/respect. Most companies don’t allow their audits to do CEH kind of testing.
Also, IMHO, if you’re not an IT person already, I think you’d struggle getting into CEH stuff. That gets really technical, especially after you get past the script kiddie stuff.
The CISSP is more foundational and will give you a broader understanding of IT and technology. It will also be helpful if you later decide to move into general IT later in your career. The CEH won’t be as transfer-able.
Ok, I’ve said my piece. Yo, want to elaborate on why you think CEH is the way to go?
LikeLike
Kyle,
One other thought. When I entered IT audit, I wasn’t that confident either, but my reason was that I didn’t understand audit. While I think auditing is easier to learn than IT, you’ll grow into it.
My suggestion is to google stuff before you start your audit and during your audit so that you can ask good questions (you’ll understand at least the bare basics) and to check the answers that IT folks give you.
Sometimes you’ll be learning along side the IT guy, because not all of them know their own stuff.
Learning the basics on your own saves you and your auditee time; then both of you can focus on the bigger and risker issues.
LikeLike
Mack,
I was looking at it from a perspective of a hands on experience. I’m a hands on learner and cant count the number of times I’ve tried to memorize the OSI model only to forget and not understand it. It wasn’t until I got into studying CEH I finally digested the stuff – that’s when I finally was able to correlate technical stuff.
I was also under the assumption that Kyle had experience (bad auditing in my part) but you’re very right without prior IT experience CEH will be very difficult to consume. Just as I said in my other post CISSP being 1 mile wide and 1 inch deep – I think I’m with you on this one Mack. CISSP will be best bet for Kyle.
I was very nervous when I started with IT audit (even though I’ve had some ERP support role and IT courses in college programming etc). I think part of it is learning on the fly and understanding the appliance and technology being used. Part of that is self-taught and researching on your own like what Mack said. With IT there’s always a new technology coming in so it’s also our job to learn how it’s being used.
Mack – thanks for giving me the opportunity to contribute. I appreciate it!
LikeLike
Yo,
Everyone learns differently. Thanks for sharing your perspective.
I think we’ll all nervous when we start in IT audit.
Heck, my last audit made me nervous. Toughest one I ever did. But I got through it, learned a lot, and had some interesting findings, which some of the SMEs thanked me for, which seldom happens.
Looking forward to your future contributions, Yo!
LikeLike
It’s great to know how it worked out for both of you. While carrying out my IT audit work as usual, I’m actually looking at some CCENT materials, as I heard networking basics are essential before looking into security. I think I’ll spread my effort into these domains then. Thanks!
LikeLike
Kyle,
Pardon me, but I’m going to jump in again. You need to decide what’s best for you, as you know your situation better.
Having said that, CCENT, in my opinion is jumping in deeper than you may need to in the beginning. Again, CISSP is general security, fundamentals, and a mile wide, and might serve better right now to put all the pieces together.
At the same time, I have to admit I wish I had dived into networking more myself, as it would have made some of the more complicated concepts easier to understand. But if you’re set on networking, go for it; it certainly won’t hurt you, and it will be fascinating.
I trust you’ll know which fork to take when the path divides. Let us know how it goes as you move down your path. Wish you the best, Mack.
LikeLike
That’s part of the issue I am facing now.
For those coming in from technical IT, the path is more like Technical > Functional, which translate to progressive technical certs like CCNA, A+ towards a generic one like CISA, CISSP. I referred to some forums and the general consensus if that CISSP is for “later” stage.
However, your comments brought me to a different perspective. As I come from a completely functional background, CISSP can help me to understand the whole IT/security landscape, which I really need now.
Having that said, I will get some materials on CISSP to start myself up. CCENT is a really fun read though. HA! Let’s keep in touch :)
LikeLike